[one-users] OpenNebula 3.2.1 econe-server and SSL proxy

Daniel Molina dmolina at opennebula.org
Fri Feb 3 02:57:16 PST 2012


On 3 February 2012 11:30, Ulrich Schwickerath
<ulrich.schwickerath at cern.ch> wrote:
> Hi, Daniel,
>
> thanks a lot for the help on this. The problem with the ssl proxy was that I
> was missing an extra / at the end of the ssl_server directive. So one needs
>
> :ssl_server: https://cloud.opennebula.org/
>
> rather than
>
> :ssl_server: https://cloud.opennebula.org
>
> else I get authentication errors. However, this is not the end of the story
> I'm afraid. With this patch in place I can query the system, but it's very
> very slow. My most important user has some 500 VMs in the system, and a
> euca-describe-instances
> times out or gives expat parse errors. If I query the system locally it
> works fine and is very responsive. This problem is new in 3.2.1, I didn't
> have this in 3.0 which I was using before. I already checked that I have all
> rubygems installed which are needed.

Are you using the same client on both sides? Maybe it is an
environment problem (EC2_URL)

>
> Any idea?
>
> Thanks!
> Ulrich
>
>
>
>
> On 02/02/2012 11:40 PM, Daniel Molina wrote:
>>
>> Hi Ulrich,
>>
>> We have added a new patch in order to support custom paths and ports
>> when setting up an SSL proxy on top of the econe-server. You can see
>> this patch in the following link:
>>
>> http://dev.opennebula.org/issues/985
>>
>> This patch has been included in the last release (3.2.1). I recommend
>> you to upgrade to this version. Also the performance should be
>> improved since we have included a new authentication cache.
>>
>> Currently the econe-server is running in our public cloud with an SSL
>> proxy, using the following configuration:
>>
>> $ cat econe.conf
>> # Host and port where econe server will run
>> :server: localhost
>> :port: 7141
>>
>> # SSL proxy that serves the API (set if it is being used)
>> :ssl_server: https://cloud.opennebula.org/econe
>>
>> # Authentication driver for incoming requests
>> #   ec2, default Access key and Secret key scheme
>> #   x509, for x509 certificates based authentication
>> :auth: ec2
>>
>> # Authentication driver to communicate with OpenNebula core
>> #   cipher, for symmetric cipher encryption of tokens
>> #   x509, for x509 certificate encryption of tokens
>> :core_auth: cipher
>>
>> $ cat apache2.conf
>> <VirtualHost *:443>
>>         servername cloud.opennebula.org
>>         SSLEngine on
>>         ProxyPass        /econe http://localhost:7141/
>>         ProxyPassReverse /econe http://localhost:7141/
>> </VirtualHost>
>>
>> If you use a path different from '/' the client must support this
>> feature, otherwise the authentication will fail. The econe tools
>> included in the 3.2.1 release support custom paths.
>>
>> Also if you want the proxy to listen on a different port from the
>> default (443) you can specify it in the ssl_parameter:
>> :ssl_server: https://cloud.opennebula.org:8082/
>>
>> Hope this helps
>>
>> On 2 February 2012 22:45, Ulrich Schwickerath
>> <ulrich.schwickerath at cern.ch>  wrote:
>>>
>>> Hi,
>>>
>>> did anybody try to setup the ONE 3.2 econe-server with an SSL proxy ? The
>>> instructions on the web on this seem to be a bit out of date.
>>> I had it working fine with 3.0 but with 3.2 I get authentication errors
>>> (the
>>> ssl proxy setup is unchanged since 3.0). Direct access via http works
>>> (although slower than before).
>>>
>>> Cheers,
>>> Ulrich
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>>
>
>
> --
> --------------------------------------
> Dr. Ulrich Schwickerath
> CERN IT/PES-PS
> 1211 Geneva 23
> e-mail: ulrich.schwickerath at cern.ch
> phone:   +41 22 767 9576
> mobile:  +41 76 487 5602
>



-- 
Daniel Molina
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
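
Added example, not part of the original thread and not OpenNebula code: a Ruby sketch of why a missing trailing slash, a different path or a different port in :ssl_server can turn into authentication errors behind a proxy. It assumes EC2 query-API Signature Version 2 (HMAC over method, host, path and query) and a hypothetical verifier that rebuilds host and path from the configured URL; all function names, the secret and the parameters are constructed.

```ruby
require 'openssl'
require 'base64'
require 'uri'

# Constructed sample values, not taken from the thread.
SECRET = 'constructed-secret'
PARAMS = { 'Action' => 'DescribeInstances', 'AWSAccessKeyId' => 'constructed-user',
           'SignatureMethod' => 'HmacSHA256', 'SignatureVersion' => '2',
           'Timestamp' => '2012-02-03T10:00:00Z' }

# RFC 3986 percent-encoding, as Signature Version 2 requires.
def rfc3986(value)
  value.to_s.gsub(/[^A-Za-z0-9\-_.~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Host (port kept only when non-default) and path of a URL.
# normalize: true maps an empty path to "/", the path that goes on the wire.
def host_and_path(url, normalize: false)
  uri = URI.parse(url)
  host = uri.host.downcase
  host += ":#{uri.port}" unless uri.port == uri.default_port
  path = uri.path
  path = '/' if normalize && path.empty?
  [host, path]
end

# HMAC-SHA256 over method, host, path and the sorted, encoded query string.
def sign_v2(secret, method, host, path, params)
  query = params.sort.map { |k, v| "#{rfc3986(k)}=#{rfc3986(v)}" }.join('&')
  to_sign = [method, host, path, query].join("\n")
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, to_sign))
end

# Client side: signs the host and path it actually requests (EC2_URL).
def client_signature(secret, ec2_url, method, params)
  host, path = host_and_path(ec2_url, normalize: true)
  sign_v2(secret, method, host, path, params)
end

# Hypothetical server side: recomputes the signature from the configured URL.
def valid_signature?(secret, configured_url, method, params, signature, normalize: false)
  host, path = host_and_path(configured_url, normalize: normalize)
  OpenSSL.secure_compare(sign_v2(secret, method, host, path, params), signature)
end
```

With normalize left off, a configured URL without the trailing slash yields an empty path on the verifying side while the client signed "/", so the two HMACs differ even though both URLs name the same endpoint.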


